Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

PayPal and Venmo phishing: are your account controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Phishing pages spoofing PayPal and Venmo showed how attackers exploit user trust, with fake PayPal websites rising to 61,226 by March 2020 and 14,766 SSL certificates used on phishing sites by March 2017, according to the source article and BleepingComputer. The real lesson is that browser cues and password reuse still fail without phishing-resistant authentication and stronger account hygiene.

NHIMG editorial — based on content published by Bitwarden: how to spot potential hacking attempts and secure PayPal or Venmo accounts

By the numbers:

Questions worth separating out

Q: How should security teams reduce phishing success for high-value accounts?

A: Use phishing-resistant MFA, not SMS, for accounts that can reach money, customer data, or administrative settings.

Q: Why do SMS-based login codes remain risky for account protection?

A: SMS codes can be intercepted, redirected, or captured through SIM-jacking, so they are better than passwords alone but still vulnerable to attack.

Q: What do users get wrong about the browser padlock symbol?

A: They often treat the padlock as proof that a site is genuine, when it only shows that the connection is encrypted.

Practitioner guidance

  • Prioritise phishing-resistant MFA for high-value accounts Move from SMS-based second factors to authenticator apps or other phishing-resistant methods wherever possible, especially for accounts tied to payment methods or sensitive personal data.
  • Review and revoke trusted devices regularly Give users an easy way to inspect remembered devices and active sessions, then revoke anything they do not recognise before an attacker can persist.
  • Store recovery codes separately from login credentials Place backup codes in a secure note or equivalent protected store so account recovery does not depend on the same channel that could already be compromised.

What's in the full article

Bitwarden's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step PayPal and Venmo security settings that show exactly where to enable stronger verification flows
  • Practical guidance on storing and protecting backup codes inside Bitwarden Secure Notes
  • Hands-on explanation of how the integrated Bitwarden Authenticator generates TOTP codes for login protection
  • Screen-by-screen guidance for checking remembered devices and sessions on Venmo

👉 Read Bitwarden's guide to securing PayPal and Venmo accounts →

PayPal and Venmo phishing: are your account controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Consumer phishing is still an identity governance problem, not just a user-awareness problem. The article shows that attackers do not need to break encryption to break trust. They only need a believable session entry point and a user who has been trained to rely on superficial cues such as padlocks and familiar branding. For IAM teams, the lesson is that authentication design must assume deception at the first touchpoint, not after the login succeeds.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The same report says enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly identity weaknesses compound.

A question worth separating out:

Q: How can organisations limit damage after a phishing login succeeds?

A: Make session and device review part of account governance. Users should be able to see remembered devices, revoke unknown sessions, and recover access without relying on the same compromised channel. That reduces the attacker’s persistence window and helps contain the blast radius of the original compromise.

👉 Read our full editorial: PayPal and Venmo phishing shows why account security still fails



   
ReplyQuote
Share: